From patchwork Thu Feb  9 12:03:01 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Colin King <colin.king@canonical.com>
X-Patchwork-Id: 9564449
Return-Path: <linux-security-module-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	3E1B66020C
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Feb 2017 12:39:29 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1D2B028497
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Feb 2017 12:39:29 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 11E6A28503; Thu,  9 Feb 2017 12:39:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8935928497
	for <patchwork-linux-security-module@patchwork.kernel.org>;
	Thu,  9 Feb 2017 12:39:28 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751157AbdBIMj1 (ORCPT
	<rfc822;patchwork-linux-security-module@patchwork.kernel.org>);
	Thu, 9 Feb 2017 07:39:27 -0500
Received: from youngberry.canonical.com ([91.189.89.112]:51947 "EHLO
	youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751218AbdBIMj0 (ORCPT
	<rfc822;linux-security-module@vger.kernel.org>);
	Thu, 9 Feb 2017 07:39:26 -0500
Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)
	by youngberry.canonical.com with esmtpsa
	(TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76)
	(envelope-from <colin.king@canonical.com>)
	id 1cbnSk-0004Lf-HA; Thu, 09 Feb 2017 12:04:34 +0000
From: Colin King <colin.king@canonical.com>
To: Casey Schaufler <casey@schaufler-ca.com>,
	James Morris <james.l.morris@oracle.com>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Smack: fix a dereference before null check on sock->sk
Date: Thu,  9 Feb 2017 12:03:01 +0000
Message-Id: <20170209120301.28152-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.10.2
MIME-Version: 1.0
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk
List-ID: <linux-security-module.vger.kernel.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Colin Ian King <colin.king@canonical.com>

The initialisation of pointer ssp is from a dereference on sock->sk
before sock-sk is null checked, hence there is a potential for a
null pointer deference.  Fix this by moving the assignment of ssp
to just before it is used in the call to smk_ipv6_check.

Detected with CoverityScan, CID#1324196 ("Dereference before null check")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 security/smack/smack_lsm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index fc8fb31..bb17387 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2899,7 +2899,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
 #endif
 #ifdef SMACK_IPV6_SECMARK_LABELING
 	struct smack_known *rsp;
-	struct socket_smack *ssp = sock->sk->sk_security;
+	struct socket_smack *ssp;
 #endif
 
 	if (sock->sk == NULL)
@@ -2916,9 +2916,11 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
 			return -EINVAL;
 #ifdef SMACK_IPV6_SECMARK_LABELING
 		rsp = smack_ipv6host_label(sip);
-		if (rsp != NULL)
+		if (rsp != NULL) {
+			ssp = sock->sk->sk_security;
 			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
 						SMK_CONNECTING);
+		}
 #endif
 #ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);